CVE-2025-59531

描述

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.1.8 and 3.0.19.

受影響套件(7)

• Bitnami/argo-cd>= 1.2.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8
• Go/github.com/argoproj/argo-cd>= 1.2.0, <= 1.8.7
• Go/github.com/argoproj/argo-cd>= 1.2.0
• Go/github.com/argoproj/argo-cd/v2from 0, < 2.14.20
• Go/github.com/argoproj/argo-cd/v2>= 2.0.0-rc1, < 2.14.20
• Go/github.com/argoproj/argo-cd/v3>= 3.0.0-rc1, < 3.0.19, >= 3.1.0-rc1, < 3.1.8, >= 3.2.0-rc1, < 3.2.0-rc2
• Go/github.com/argoproj/argo-cd/v3>= 3.2.0-rc1, < 3.2.0-rc2

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-59531
• PATCHhttps://github.com/argoproj/argo-cd
• WEBhttps://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f
• WEBhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc
• WEBhttps://pkg.go.dev/vuln/GO-2025-3993